Update documentation related to SQL injection with raw queries #5735

joshbouncesecurity · 2024-03-19T11:46:23Z

Describe this PR

Basically, the docs make it seem like queryRaw and executeRaw are safe from SQL injection when it fact is possible to use them unsafely as well.

I have prepared an update to the documentation to reflect this.

I have moved the "parameterized queries" section into the "SQL Injection" section (only minor changes which you can see in this specific commit: 8575fc5
I have made SQL injection a top level section so that I can include navigation within it
I have provided example of how queryRaw and executeRaw are used safely in a simple case.
I have provided examples of how queryRaw and executeRaw can also be used unsafely.
I have provided examples of how queryRaw and executeRaw can be used safely in more complicated cases as well.

N/A

I deliberately tried to make all examples compatible with the Prisma playground so you can verify them.

vercel · 2024-03-19T11:46:28Z

@joshbouncesecurity is attempting to deploy a commit to the Prisma Team on Vercel.

A member of the Team first needs to authorize it.

jharrell

Thank you very much @joshbouncesecurity !

vercel · 2024-03-25T15:35:19Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Mar 26, 2024 3:09pm

janpio

jharrell

Few notes from our internal review. Thank you again @joshbouncesecurity

content/200-orm/200-prisma-client/100-queries/090-raw-database-access/050-raw-queries.mdx

Co-authored-by: Jon Harrell <[email protected]>

joshbouncesecurity · 2024-03-25T19:34:44Z

Thanks @janpio @jharrell I think I have made all the requested changes

content/200-orm/200-prisma-client/100-queries/090-raw-database-access/050-raw-queries.mdx

Co-authored-by: Jan Piotrowski <[email protected]>

joshbouncesecurity · 2024-03-26T13:11:24Z

Hi @janpio I think I handled all your comments except this one which I think is better not changed.

content/200-orm/200-prisma-client/100-queries/090-raw-database-access/050-raw-queries.mdx

Co-authored-by: Jan Piotrowski <[email protected]>

jharrell · 2024-03-26T15:13:44Z

Thank you again for all your help @joshbouncesecurity ! We really appreciate you working with us and a special thanks for your contribution 🙂

joshbouncesecurity · 2024-03-26T15:14:10Z

You're welcome, I always like to see more detailed security documentation :)

joshbouncesecurity added 2 commits March 19, 2024 13:32

Minor changes to Parameterized queries section

8575fc5

Significantly expand SQL injection guidance

54c3ec4

joshbouncesecurity and others added 5 commits March 19, 2024 18:06

Add Javascript and Typescript variants

df78d0d

Add additional example

10f6156

Fix example for MySQL

251a869

Clarify some code examples

97eab15

Soften initial explanation

14fd82c

jharrell approved these changes Mar 25, 2024

View reviewed changes

vercel bot deployed to Preview March 25, 2024 15:39 View deployment

janpio suggested changes Mar 25, 2024

View reviewed changes

jharrell requested changes Mar 25, 2024

View reviewed changes

joshbouncesecurity marked this pull request as draft March 25, 2024 19:20

joshbouncesecurity and others added 2 commits March 25, 2024 21:21

Apply suggestions from docs review

fa7f371

Co-authored-by: Jon Harrell <[email protected]>

Focus on Postgres

6edc580

joshbouncesecurity marked this pull request as ready for review March 25, 2024 19:31

vercel bot deployed to Preview March 25, 2024 20:11 View deployment

joshbouncesecurity requested review from jharrell and janpio March 26, 2024 06:43